<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Uh..., probably it is not so good to publish security issues on a public list.<div class="">The official way is</div><div class=""><a href="https://koha-community.org/security/" class="">https://koha-community.org/security/</a></div><div class="">if I'm not wrong.</div><div class="">sb<br class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 15 Mar 2017, at 16:57, Devinim Koha Development Team <<a href="mailto:kohadevinim@devinim.com.tr" class="">kohadevinim@devinim.com.tr</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div bgcolor="#FFFFFF" text="#000000" class=""><p class="">Hi,</p><p class="">In that case we can reach the user's detailed information without
      giving a password, by curl.</p><p class="">If you want, we can share the code showing how to get this information
      without authentication, from this list.<br class="">
    </p>
    <br class="">
    <div class="moz-cite-prefix">On 15-03-2017 18:50, Jonathan Druart
      wrote:<br class="">
    </div>
    <blockquote cite="mid:CAJzKNY4b5eQbScx+ZKZgJzJQog1F+2J-VgAsTsFOeTm9zG=5SQ@mail.gmail.com" type="cite" class="">
      <div dir="ltr" class="">
        <div class="">
          <div class="">
            <div class="">
              <div class="">
                <div class="">Hi,<br class="">
                </div>
                <br class="">
                authnotrequired is set to 1 because opac-memberentry.pl
                is also used by the self-registration feature.<br class="">
              </div>
              The patron information displayed is based on the logged in
              user, not a parameter passed to the script.<br class="">
              <br class="">
            </div>
            Everything looks ok to me.<br class="">
            <br class="">
          </div>
          Regards,<br class="">
        </div>
        Jonathan<br class="">
        <br class="">
        <div class="gmail_quote">
          <div dir="ltr" class="">On Wed, 15 Mar 2017 at 12:18 Devinim Koha
            Development Team <<a moz-do-not-send="true" href="mailto:kohadevinim@devinim.com.tr" class="">kohadevinim@devinim.com.tr</a>>
            wrote:<br class="">
          </div>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg"><p class="gmail_msg">Hi all,</p><p class="gmail_msg">In opac-memberentry.pl,
                authnotrequired is set to 1 by default; in that case, user
                information can be reached without user
                authentication, <br class="gmail_msg">
              </p><p class="gmail_msg">and this can lead to some
                vulnerabilities. Do we miss something? We were not able
                to understand why it is 1 by default.</p><p class="gmail_msg">Thanks.<br class="gmail_msg">
              </p>
            </div>
            <div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
              <div class=" m_1657876652455208796moz-cite-prefix
 gmail_msg">On 14-03-2017 11:33, Chris Cormack wrote:<br class="gmail_msg">
              </div>
              <blockquote type="cite" class="gmail_msg">Hi, <br class="gmail_msg">
                <br class="gmail_msg">
                Normally once they are released the release maintainer
                shifts them out of security. That one got missed,
                shifted now <br class="gmail_msg">
                <br class="gmail_msg">
                Chris <br class="gmail_msg">
                <br class="gmail_msg">
                <div class="gmail_quote gmail_msg">On 14 March 2017
                  9:13:51 PM NZDT, Devinim Koha Development Team <a moz-do-not-send="true" class=" m_1657876652455208796moz-txt-link-rfc2396E
 gmail_msg" href="mailto:kohadevinim@devinim.com.tr" target="_blank"><kohadevinim@devinim.com.tr></a>
                  wrote:
                  <blockquote class="gmail_quote gmail_msg" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px
                    solid rgb(204,204,204);padding-left:1ex">
                    <pre class="gmail_msg m_1657876652455208796k9mail">Hi all,

How can we see the fixes for security bugs?

We've faced a vulnerability, Bug# 16969, in a new version, but
it's said that it was fixed in 3.22.10.


Thanks.

Devinim Koha Dev. Team

<hr class="gmail_msg">
Koha-devel mailing list
<a moz-do-not-send="true" class="gmail_msg m_1657876652455208796moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org" target="_blank">Koha-devel@lists.koha-community.org</a>
<a moz-do-not-send="true" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" class="gmail_msg" target="_blank">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a moz-do-not-send="true" href="http://www.koha-community.org/" class="gmail_msg" target="_blank">http://www.koha-community.org</a>/
git : <a moz-do-not-send="true" href="http://git.koha-community.org/" class="gmail_msg" target="_blank">http://git.koha-community.org</a>/
bugs : <a moz-do-not-send="true" href="http://bugs.koha-community.org/" class="gmail_msg" target="_blank">http://bugs.koha-community.org</a>/
</pre></blockquote></div>

-- 

Sent from my Android device with K-9 Mail. Please excuse my brevity.


</blockquote>
</div></blockquote></div></div>



</blockquote>
</div></div></blockquote></div><br class=""></div></div></body></html>